The Problem With Two-Factor Authentication

The failure of corporate security strategies to protect personal identity information from hackers resides more with system architecture than with authentication technology. Here's why.

For too long, enterprises have been looking for the perfect two-factor authentication. First, it was X.509, then hard tokens, then SMS, and now Push and biometrics. And still, hackers keep winning. Just look at what happened with Target, Neiman Marcus, Living Social, Snapchat, and others.

The problem isn't the two-factor authentication technology. To be more specific, it's not just the two-factor authentication. It's the full integration, which includes the storage, accessing, validation, and assertion of identity throughout the authentication process.

But don't take my word for it. The forensics on most recent hacks reveal that hackers did not break the authentication mechanism itself. Rather, they broke the integration -- the identity passing and storage. That tells me websites (cloud or enterprise-based) that demand bulletproof security need to understand how authentication (single- or two-factor) is provisioned, conducted, validated from enterprise information, and asserted to the final resource -- and ultimately how the trust is reused at other resources.

How the authentication is provisioned
By this, I mean how the ID itself is granted to the user and how the credentials are provided to the users. The authentication process (single- or two-factor) should be quantified and scrutinized for weaknesses. One of the best ways to increase security in this procedure is to remove all human interaction (think: how to remove help desk interaction). You can validate users based on enterprise data or third-party social IDs and other data sources. You can then grant users reusable two-factor authentication credentials such as an X.509 certificate, an identity card, a mobile OATH token, or just the device itself.

Ideally, the registration process should be browser-based, which enables communication to match the client's native language automatically. Too often, however, each of these functionalities is siloed (e.g., coded after the two-factor product is purchased), and this is where the hacks occur. The hackers are breaching the architecture, not the authentication mechanism.

How and where the authentication takes place
Too often the validation algorithm is hosted or housed on servers or services that are beyond an enterprise's security control. These servers and services need to be scrutinized, because it is usually much easier for a hacker to breach the actual identity collection form (web or other form) than the actual authentication mechanism itself via cross-site scripting, SQL injection, or another attack vector against the form collector. Of course, this raises a raft of additional questions. Who wrote these collection forms? Are they housed on secure, enterprise servers? Have the forms been pen tested? Were they written by an outsourced contract service or hosted on insecure servers?

How the authentication is validated from enterprise PII
Most of the recent attacks have targeted enterprise-held personally identifiable information (PII), in which two-factor authentication methods prompted the company to sync up or migrate PII to other holders. As the Snapchat breach of 4.6 million users' phone numbers demonstrated, organizations need to secure their PII with the same security they use to keep passwords and other authentication information safe. Authentication information is, by its nature, PII, and allowing other services, especially authentication services, to use this data is simply asking for trouble.

How the authenticated identity is validated
Many authentication methods were created before resources like cloud and native mobile applications existed. As a result, common authentication mechanisms, such as tokens, were designed to use dated authentication protocols, like RADIUS, for resource-to-data-store validation. This type of authentication usually assumes that there is a proxy between the resource and the user, which is not always possible in the cloud and with mobile apps. In response, enterprises have implemented hackable integration methodologies that introduce vulnerabilities in the credential collection and identity-passing processes for these new resources.

Cloud resources should be secured with cryptographically signed assertions, like SAML or WS-Fed; similar mechanisms, including cryptographically validated web services, can be used for identity passing to native mobile apps. But these mechanisms are only as good as the services that encompass the identity passing. If the authentication system is separate from the identity-passing system, your enterprise needs to ensure that this transfer process is secure each and every time.

Don't ignore user fatigue
Ideally, all systems that users access (including network, cloud, enterprise, and mobile), should be set up to conduct some sort of identity validation. But if the enterprise forces a high-friction authentication such as SMS, token, or telephony, where the user has to re-enter credentials every session, it's pretty much guaranteed that the user will find a way to circumvent the best mechanisms and/or burden the help desk with repeated account lockouts or two-factor registration requests.

To alleviate this burden, SSO is the best solution. Look at consolidating enterprise resources into mechanisms that lend themselves to portal access where a single authentication (preferably, a strong one) allows access to multiple resources. Role-based is ideal, depending on what resources a particular user should see.

Organizations that demand bulletproof security must understand that true security is not in the authentication process alone. It's only when the entire system architecture -- from provisioning and validation through asserting identity -- is addressed from a security perspective that personal information will be truly safe from attack.

Garret Grajek is a CISSP-certified security engineer with more than 20 years of experience in the information security and authentication space. As Chief Technical Officer and Chief Operating Officer for SecureAuth Corp., Garret is responsible for the company's identity ... View Full Bio

I think Duo Security's two-factor authentication may do things differently. However, I have yet to see an true expert write a review on this service, so I would definitely be interested in reading what the author has to say about it. https://www.duosecurity.com

The new approach looks good. Furthermore, the core concept behind is important - the security lies mainly with architecture from design perpsective instead of single piece of authentication technology. I am willing to see more articles describing it in more detail.

I totally agree, Li, that the Garret raised an issue that too often overlooked in the discussions of biometrics, tokens and passwords and other mutlficactor authentication technologies. You can have the best authentication in the world, but if the architecture isn't designed properly you're still vulnerable.

You got my point, Marilyn. Furthermore, I am a little bit pessimistic regarding security. You can improve security all the time by implementing new architectures and techniques but you will never caulk the gap - there is always cavity for the hackers.:-(

Two-factor authentication is an old concept that applies well to workstations, however, fails to protect data on mobile devices... A simple device left un-attended while open will compromise enterprise data. Presence-based real-time security offered by Secure Access Technologies provides breakthrough security and breakthrough user experience. www.SecureAccessTechnologies.com

Duo has very nice PUSH authentication - but as I stated - relying on a single form factor for authentication is setting the enterprise up for failure. THe key is too abstract the authenticaiton and then be able to select the form factor most appropriate, PUSH Notification being one of the choices. (THe others being SMS, Telephony, X.509, OATH MObile tokens, Hard Tokens, Gov't Issue Credentials, Smart Cards, Social IDs, etc.)

And most importantly - construct a solution - that allows rapid (and secure) delivery/deployment of these authentication methodologies. E.G. - as stated - this is where the hacks are occruing.

A best analysis on the two-factor authentication. However, a bidirectional approach (both from Server and Client communications) will give better solutions. VeriQR is such a solution addressing this - http://www.integritauk.com/veriQR.html

I live by the old saying that locks are for honest people. If someone wants in badly enough a lock is not going to stop them. The same goes for any authentication method. If you lock down your application well enough someone will turn to social engineering to get in. One thing I rarely see covered when talking about securing any assets is intelligent monitoring. The recent attacks on Target and Niemen Marcus don't seem to have been detected until after millions of records were lost. One thing I'd like to see addressed is how do you see the leak before the flood gates are fully open?

@SaneIt In light of your comment, I wonder if we should regard locks and this kind of authentication as a positional good. Its value is derived from others not having it. It's rather like those steering wheel locks sold as anti-theft protection on cars. They won't prevent a truly capable thief form taking your car. But if your car is not particularly valuable and is among others of equal value that do not have the extra protection, the thief may just go for the easiest break-in. However, when every driver starts using these things, then they'll make no difference.

Yes I believe that we should view it as a good practice but we should not rely on authentication as the sole source of protection. A majority of data loss/misuse comes from internal sources so part of the battle has to be monitoring and swift action when irregularities are detected.

Overall, a good article. However, I take issue with two things: first, user fatigue. There are new 2FA offerings that are largely invisible (see, for example, Toopher). When users don't have to keep track of a separate single-use item and they don't have to manually approve every request, they will flock to two-factor. And that brings me to my second nitpick: two-factor is useful after the data breach--perhaps even more important after your usernames and passwords are public information. If your account details are leaked, multi-factor authentication helps reduce the damage that can be done with your hacked credentials. Ultimately, we need more high quality two factor implementations, and, as you said, securing logins will be easier when we start funnelling all logins through a single point, reducing the attack surface.

What exactly do you mean by invisible? Does Toopher remember your credentials or cookies and automatically log you in on your mobile device? I could see a lot of holes in that security. Excellent point about the post-breach security though. I definitely agree that 2fa is an important step.

I use Toopher with LastPass and absolutly love it! What they mean by invisible is their automation feature. Toopher uses location awareness of your smartphone to automate authentication so that you don't have to take any extra steps - like having to type in any passcodes to complete the authentication process. It is the most user friendly 2fa I have experienced. Check out this video... it helped me better understand what Toopher does.

Yea, we tried SecureAuth and it was great, transparent 2factor that worked with all of our cloud and internal apps, sso and password reset included. Covered everything at a price point we could live with. bye bye rsa securid tokens

@BGordon1 I think the concept of invisible authentication is a bit tricky because no one else is doing it. Toopher can automate authentication requests based on your location so that future requests from the same location are invisibly approved. For example, if you're logging into your bank's website from your home computer, the bank would ask Toopher to authenticate, Toopher would ping your phone, and your phone will respond for you (assuming you've chosen to automate the same request in the past); your bank logs you in without you having to type in a one time password or any of that nonsense. It's still a second factor--it's just invisible. The Toopher site might explain it better than I can: https://www.toopher.com/.

If someone stole your phone AND knew where you did business, they would also need your username and password, so that is more like 3 or 4 ppints of failure. That is beside the point becuase you (person responsible for providing access to and protecting application(s) can add factors (1, 2, 3+...) and strength of those factors depending on the value of the data and the usability requirements. By having the strong auth and SSO abstracted away form the guts of the app, there is flexibility to respond to threats and tweak auth methods in real without touching all the apps every time. That is the beauty of what Garret is talking about. It is a fundamentally better way in every way.

I think that is exactly one of the points the author makes. Any authentication mechanism can be breached, thus it is imperative that their are options and flexibility available to easily move to another methodology. We should all accept and expect that over time there will be a breach of a given method, be it the Toopher method, or the Telephony / SMS / Push methods that have gained a lot of traction. When that happens, it needs to be simple to switch to a new methodology very quickly (click of a mouse?) without having to completely recode / rip and replace technology.

After a month long review of Toopher, Duo Security, Okta, SecureAuth and SecurID I can say that gartner was right about secureauth having the best customer service in the authentication space. Toopher support was non existent, okta sales were pushy as heck, securid was a workable dinosaur which left duo and secureauth. What secureauth put together was something that deployed quickly and worked for our use cases, duo deployed quickly too but only covered half of our use cases.

I know our folks and customers are big fans of Toopher. Lots of people using LastPass or KeePass (more on the former). I think two-factor authentication has a great place as part of a "defense in depth" approach, which starts with the data. That's what the hackers are going for, after all.

I agree with you completely, and think that the #1 hurdle for 2FA, is acceptance by the end user. I think most organizations gamble that productivity is more important than security until a hack occurrs. If you give your end users a technology that balances Productivity & Security, then organizations will adopt 2FA for themselves and for other user groups like contactors, customers, Before it's too late. Disclosure: I work for SecureAuth, the author of this post's company.

The problem is the authentication technology itself, not the outside architecture

First - thanks for the article, it's always good to open painful topics. I absolutely agree with Andrew's comment. Garret Grajek excellently identified and formulated several Achilles heels of authentication, bud I disagree with the formulation that "The problem is not in authentication"- I would formulate the main idea in the opposite way: "The problem is the authentication technology itself, not the outside architecture!"

Garret in his article correctly observed one architectural misconception. He uncovered that the authentication technology is not just composed of "identity verification act".

Many of you (does not matter if you are customer or developer) may already have noticed that the rest of Devils's hoof is being silently moved onto your shoulders.

And that's wrong. The authentication technology must offer a compact and unbreakable solution for entire life-cycle of your "cybernetic" identity – identity creation, validation/verification, deletion, lost, expiration and much more including ID provisioning!

That's why the US is coming with the NSTIC (National Strategy for Trusted Identities in Cyberspace - http://www.nist.gov/nstic/), why the European Union is coming with the SSEDIC activity (European eID - http://www.eid-ssedic.eu/).

Maybe one interesting information is coming for EU region – the SSEDIC has been completing work on formulating visions of future eID. This work is coming from 3-year SSEDIC analysis of existing authentication technologies and issues. Main principles of that future vision are incorporated into new strategy called DII – Distributed Identity Infrastructure. The final text of recommendation will be released soon.